We present an adaptation, based on program extraction in elementary linear logic, of Krivine & Leivant's system FA2. This system allows the user to write higher-order equations in order to specify the computational content of extracted programs. The user can then prove a generic formula, using these equations as axioms, whose proof can be extracted into a program that normalizes in elementary time and satisfies the specification. Finally, we show that every elementary recursive function can be implemented in this system.

Introduction 

Elementary linear logic is a variant of linear logic introduced by Jean-Yves Girard in an appendix of [3] that characterizes, through the Curry-Howard correspondence, the class of elementary recursive functions. There are two usual ways to program in such a light logic: by using it as a type system for a $\lambda$-calculus, or by extracting programs from proofs in a sequent calculus (see [2] for instance).

The former is used for propositional fragments of Elementary Affine Logic in [6] and of Light Affine Logic. However, when the programmer provides a $\lambda$-term which is not typable, he has no clue how to find a suitable term implementing the same function. In the latter approach, the programmer must keep in mind the underlying computational behaviour of his function during the proof and check afterwards, by external arguments, that the extracted $\lambda$-term implements the desired function.

In this paper, we describe a system in which we try to make the second approach a bit more practical: firstly because our system is endowed with a kind of proof irrelevance (all proofs of the same formula are extracted to extensionally equivalent terms), and secondly because the extracted program automatically satisfies the specification given as axioms during the proof.

FA2 is an intuitionistic second-order logic whose formulas are built upon first-order terms, predicate variables, arrows and two kinds of quantifiers, one on first-order variables and the other on predicate variables. Jean-Louis Krivine described in [4] a methodology to use this system for programming with proofs. In this system, the induction principle for integers may be expressed by

$$\forall X,\ (\forall y,\ X y \to X(s\,y)) \to X\,0 \to X\,x.$$

This formula is written $N x$ and it is used to represent integers. The programmer then gives some specifications of a function. For instance, for the addition, he may give:

$$plus(0, y) = y, \qquad plus(s(x), y) = s(plus(x, y)).$$

Now, if he finds a proof of

$$\forall x y,\ N x \to N y \to N(plus(x, y))$$

in which he is allowed to rewrite formulas with the specifications, then it is proved that the $\lambda$-term extracted from this proof using standard techniques is a program satisfying the specifications.
We have adapted the system FA2 of Leivant and Krivine following two directions: 
• We replace the grammar of first-order terms by the whole $\lambda$-calculus. We can then extract higher-order functions instead of purely arithmetical functions. We have shown in [5] that the resulting system can be described as a pure type system (PTS). We have also built an extensional model, and re-adapted realizability tools for it. Here we only present the material needed for elementary programming and we refer the reader to [5] for more details.

• We ensure complexity bounds by making its logic elementary. 

In the next section, we introduce the grammar for our formulas and describe how we interpret them. In section 2, we present our proof system and how we can program with it. In the last section, we prove that we characterize the class of elementary recursive functions. We bring our system back to the usual Elementary Affine Logic in order to obtain correctness. Finally we give two proofs of completeness: one by using the completeness of Elementary Affine Logic (henceforth EAL) and the other by invoking Kalmar's characterization of elementary functions. We present the second proof as an illustration of how to program in our system. Indeed, it gives the programmer a direct way to code elementary functions without having to encode them in EAL.

1 Types, First-Order Terms and Formulas 

We assume for the rest of this document that we have at our disposal three disjoint sets of infinitely many variables:

• the set $V_0$ of so-called type variables, whose elements are denoted with letters from the beginning of the Greek alphabet and some variations around them (i.e. $\alpha, \beta, \alpha_1, \alpha_2, \dots$),

• the set $V_1$ of first-order variables, whose elements are denoted with letters from the end of the Latin alphabet (i.e. $x, y, z, x_1, x_2, \dots$),

• the set $V_2$ of second-order variables, whose elements are denoted with uppercase letters from the end of the Latin alphabet (i.e. $X, Y, Z, X_1, X_2, \dots$).

We also assume that we have an injection of second-order variables into type variables and write $\alpha_X$ for the image of a variable $X$ by this injection. This will be useful later when we send formulas onto System F types by a forgetful projection.

Definition 1. The following grammars define the terms of the system:

1. Types are System F types:

$$\tau, \sigma, \dots ::= \alpha \mid \forall\alpha, \tau \mid \sigma \to \tau$$

2. First-order terms are Church-style $\lambda$-calculus terms:

$$s, t, \dots ::= x \mid (s\,t) \mid (t\,\tau) \mid \lambda x{:}\tau.\,t \mid \Lambda\alpha.\,t$$

3. Finally, second-order formulas are given by the following grammar:

$$P, Q, \dots ::= X\,t_1\,t_2 \dots t_n \mid P \multimap Q \mid \forall X{:}[\tau_1, \dots, \tau_n],\, P \mid \forall x{:}\tau,\, P \mid \forall\alpha,\, P \mid\ !P$$

These grammars describe the terms that will be used in this paper. $\lambda$, $\Lambda$ and the three different $\forall$ behave as binders, as in the usual calculi. We always consider terms up to $\alpha$-equivalence and we do not bother with capture problems. We also admit that we have six notions of substitution, which we assume to be well-behaved with regard to $\alpha$-equivalence (all these notions are more seriously defined in [5]):

1. the substitution $\tau[\sigma/\alpha]$ of a type variable $\alpha$ by a type $\sigma$ in a type $\tau$,






2. the substitution $t[\tau/\alpha]$ of a type variable $\alpha$ by a type $\tau$ in a first-order term $t$,

3. the substitution $t[s/x]$ of a first-order variable $x$ by a first-order term $s$ in a first-order term $t$,

4. the substitution $P[\tau/\alpha]$ of a type variable $\alpha$ by a type $\tau$ in a formula $P$,

5. the substitution $P[t/x]$ of a first-order variable $x$ by a first-order term $t$ in a formula $P$,

6. the substitution $P[Q/X x_1 \dots x_n]$ of a second-order variable $X$ by a formula $Q$ with parameters $x_1, \dots, x_n$ in a formula $P$.

The last one is not very usual: it replaces occurrences of the form $X\,t_1 \dots t_n$ by the formula $Q[t_1/x_1]\cdots[t_n/x_n]$, and it is not defined if $P$ contains occurrences of $X$ of the form $X\,t_1 \dots t_k$ with $k \neq n$. The simple type system we are going to define will guarantee that such occurrences cannot appear in a well-typed formula.

Since we can build redexes in terms (of the form $((\lambda x{:}\tau.\,t_1)\,t_2)$ and $((\Lambda\alpha.\,t)\,\tau)$), we have a natural notion of $\beta$-reduction for first-order terms, which we extend to formulas (we write $t_1 >_\beta t_2$ and $P_1 >_\beta P_2$ for the transitive closure of $\beta$-reduction on first-order terms and formulas).

We adopt the usual conventions about balancing of parentheses: arrows are right associative (it means that we write $A \multimap B \multimap C$ instead of $A \multimap (B \multimap C)$) and application is left associative (meaning we write $t_1 t_2 t_3$ instead of $(t_1 t_2) t_3$). By abuse of notation, we allow ourselves not to write the type of first- and second-order $\forall$ when it can be guessed from the context. We also write $!^k P$ instead of $!\dots!P$ with $k$ exclamation marks.

Example 2. Here are some examples of formulas of interest:

1. Leibniz's equality between two terms $t_1$ and $t_2$ of type $\tau$,

$$\forall X{:}[\tau],\ X t_1 \multimap X t_2,$$

which we write $t_1 =_\tau t_2$ in the remainder of this document.

2. The induction principle for a natural number $x$,

$$\forall X{:}[nat],\ !(\forall y,\ X y \multimap X(s\,y)) \multimap\ !(X 0 \multimap X x),$$

which we write $N x$, where $nat$ is the type $\forall\alpha,\ (\alpha \to \alpha) \to \alpha \to \alpha$ of natural numbers in System F, and where $s$ and $0$ are first-order variables.

3. The tensor between two formulas $P$ and $Q$, $\forall X,\ (P \multimap Q \multimap X) \multimap X$, written $P \otimes Q$.

4. And the extensionality principle

$$\forall\alpha\beta,\ \forall f g{:}\alpha \to \beta,\ (\forall x{:}\alpha,\ f x =_\beta g x) \multimap f =_{\alpha\to\beta} g.$$

Definition 3. A context is an ordered list of elements of the form:

$$\alpha : Type \quad\text{or}\quad x : \tau \quad\text{or}\quad X : [\tau_1, \dots, \tau_n].$$

In the following, the beginning of the lowercase Latin alphabet $a, b, \dots$ will designate variables of any sort, and the beginning of the uppercase Latin alphabet $A, B, C, \dots$ will designate $Type$, $Prop$, any type $\tau$ or something of the form $[\tau_1, \dots, \tau_n]$. We write $a \in \Gamma$ if there is an element of the form $a : \_$ in $\Gamma$. A context $\Gamma$ is said to be well-formed if "$\Gamma$ is well-formed" can be derived in the type system below. A formula $P$ (resp. a term $t$, resp. a type $\tau$) is said to be well-formed in a context $\Gamma$ if the sequent $\Gamma \vdash_{ok} P : Prop$ (resp. $\Gamma \vdash_{ok} t : \tau$ for some $\tau$, resp. $\Gamma \vdash_{ok} \tau : Type$) is derivable in the type system.
Type system for checking well-formedness (rules are written premises over conclusion; the three context-extension rules require $a \notin \Gamma$ for the added variable $a$):

$$\frac{}{\cdot\ \text{is well-formed}} \qquad \frac{\Gamma\ \text{is well-formed}}{\Gamma, \alpha{:}Type\ \text{is well-formed}} \qquad \frac{\Gamma \vdash_{ok} \tau : Type}{\Gamma, x{:}\tau\ \text{is well-formed}} \qquad \frac{\Gamma \vdash_{ok} \tau_1 : Type \ \cdots\ \Gamma \vdash_{ok} \tau_n : Type}{\Gamma, X{:}[\tau_1, \dots, \tau_n]\ \text{is well-formed}}$$

$$\frac{\Gamma, a{:}A\ \text{is well-formed}}{\Gamma, a{:}A \vdash_{ok} a : A} \qquad \frac{\Gamma \vdash_{ok} b : B \quad \Gamma, a{:}A\ \text{is well-formed}}{\Gamma, a{:}A \vdash_{ok} b : B} \qquad \frac{\Gamma \vdash_{ok} P : Prop}{\Gamma \vdash_{ok}\ !P : Prop}$$

$$\frac{\Gamma \vdash_{ok} \tau : Type \quad \Gamma \vdash_{ok} \sigma : Type}{\Gamma \vdash_{ok} \tau \to \sigma : Type} \qquad \frac{\Gamma, \alpha{:}Type \vdash_{ok} \tau : Type}{\Gamma \vdash_{ok} (\forall\alpha, \tau) : Type} \qquad \frac{\Gamma, x{:}\tau \vdash_{ok} t : \sigma}{\Gamma \vdash_{ok} (\lambda x{:}\tau.\,t) : \tau \to \sigma}$$

$$\frac{\Gamma, \alpha{:}Type \vdash_{ok} t : \tau}{\Gamma \vdash_{ok} (\Lambda\alpha.\,t) : \forall\alpha, \tau} \qquad \frac{\Gamma \vdash_{ok} f : \tau \to \sigma \quad \Gamma \vdash_{ok} a : \tau}{\Gamma \vdash_{ok} (f\,a) : \sigma} \qquad \frac{\Gamma \vdash_{ok} f : \forall\alpha, \sigma \quad \Gamma \vdash_{ok} \tau : Type}{\Gamma \vdash_{ok} (f\,\tau) : \sigma[\tau/\alpha]}$$

$$\frac{\Gamma, X{:}[\tau_1, \dots, \tau_n] \vdash_{ok} Q : Prop}{\Gamma \vdash_{ok} (\forall X{:}[\tau_1, \dots, \tau_n], Q) : Prop} \qquad \frac{\Gamma, x{:}\tau \vdash_{ok} Q : Prop}{\Gamma \vdash_{ok} (\forall x{:}\tau, Q) : Prop} \qquad \frac{\Gamma, \alpha{:}Type \vdash_{ok} Q : Prop}{\Gamma \vdash_{ok} (\forall\alpha, Q) : Prop}$$

$$\frac{\Gamma \vdash_{ok} P : Prop \quad \Gamma \vdash_{ok} Q : Prop}{\Gamma \vdash_{ok} (P \multimap Q) : Prop} \qquad \frac{\Gamma \vdash_{ok} t_1 : \tau_1 \ \cdots\ \Gamma \vdash_{ok} t_n : \tau_n \quad \Gamma \vdash_{ok} X : [\tau_1, \dots, \tau_n]}{\Gamma \vdash_{ok} X\,t_1 \dots t_n : Prop}$$



Example 4. These formulas are well-typed:

1. $\Gamma, x{:}\tau, y{:}\tau \vdash_{ok} x =_\tau y : Prop$,

2. $\Gamma, s{:}nat \to nat, 0{:}nat, x{:}nat \vdash_{ok} N x : Prop$,

3. $\Gamma, X{:}Prop, Y{:}Prop \vdash_{ok} X \otimes Y : Prop$,

4. $\vdash_{ok} \forall\alpha\beta, \forall f g{:}\alpha \to \beta, (\forall x{:}\alpha, f x =_\beta g x) \multimap f =_{\alpha\to\beta} g : Prop$.

We have shown in [5] that this simple system has numerous good properties of pure type systems (like subject reduction).

Interpretations in standard models

In this section, we build a small realizability model for our proof system, which we will use later to prove the correctness of the extracted program with respect to its specification. One of our goals is to make the model satisfy the extensionality principle, because we will need to be able to replace, in our proofs, higher-order terms by other extensionally equal terms.

We define the set $\Lambda$ of programs to be the set of pure $\lambda$-terms modulo $\beta$-reduction. In the following, we interpret terms in $\Lambda$, types by partial equivalence relations (PERs) on $\Lambda$ and second-order variables by sets of elements of $\Lambda^n$ stable by extensionality (you are not allowed to consider sets which are able to distinguish terms that compute the same things). Finally, formulas are interpreted as classical formulas: all information about linearity and exponentials is forgotten. Indeed, we forget all complexity information because the only purpose of model theory here is to obtain a result about compliance with the specifications.

Definition 5. Let $\Gamma$ be a well-formed context. A $\Gamma$-model consists of three partial functions recursively defined below. The first one is a map from type variables to PERs, the second is a map from first-order variables to $\Lambda$ and the last one is a map from second-order variables to sets of tuples of programs.

• If $\Gamma$ is empty, then the only $\Gamma$-model is three empty maps.

• If $\Gamma$ has the form $\Delta, x{:}\tau$ and if $\mathcal{M} = (\mathcal{M}_0, \mathcal{M}_1, \mathcal{M}_2)$ is a $\Delta$-model, then for any $t \in [\tau]_{\mathcal{M}}$, $(\mathcal{M}_0, \mathcal{M}_1[x \mapsto t], \mathcal{M}_2)$ is a $\Gamma$-model (in the following, we simply write it $\mathcal{M}[x \mapsto t]$).

• If $\Gamma$ has the form $\Delta, \alpha{:}Type$ and if $\mathcal{M} = (\mathcal{M}_0, \mathcal{M}_1, \mathcal{M}_2)$ is a $\Delta$-model, then for any PER $R$, $(\mathcal{M}_0[\alpha \mapsto R], \mathcal{M}_1, \mathcal{M}_2)$ is a $\Gamma$-model (we write it $\mathcal{M}[\alpha \mapsto R]$).

• If $\Gamma$ has the form $\Delta, X{:}[\tau_1, \dots, \tau_n]$ and if $\mathcal{M} = (\mathcal{M}_0, \mathcal{M}_1, \mathcal{M}_2)$ is a $\Delta$-model, then for any $E \subseteq [\tau_1]_{\mathcal{M}} \times \dots \times [\tau_n]_{\mathcal{M}}$ such that $E$ satisfies the stability condition

if $(t_1, \dots, t_n) \in E$ and $t_1 \sim^{\mathcal{M}}_{\tau_1} t'_1 \wedge \dots \wedge t_n \sim^{\mathcal{M}}_{\tau_n} t'_n$, then $(t'_1, \dots, t'_n) \in E$,

$(\mathcal{M}_0, \mathcal{M}_1, \mathcal{M}_2[X \mapsto E])$ is a $\Gamma$-model (we write it $\mathcal{M}[X \mapsto E]$).

Here $\sim^{\mathcal{M}}_\tau$ is a partial equivalence relation, whose domain is written $[\tau]_{\mathcal{M}}$, defined recursively on the structure of $\tau$:

• $\sim^{\mathcal{M}}_\alpha$ is equal to $\mathcal{M}_0(\alpha)$,

• $\sim^{\mathcal{M}}_{\tau \to \sigma}$ is defined by $t_1 \sim^{\mathcal{M}}_{\tau \to \sigma} t_2 \iff \forall s_1 s_2,\ s_1 \sim^{\mathcal{M}}_\tau s_2 \Rightarrow (t_1\,s_1) \sim^{\mathcal{M}}_\sigma (t_2\,s_2)$,

• $\sim^{\mathcal{M}}_{\forall\alpha, \tau} = \bigcap_{R\ \text{PER}} \sim^{\mathcal{M}[\alpha \mapsto R]}_\tau$.

Intuitively, $t_1 \sim^{\mathcal{M}}_\tau t_2$ means that the pure $\lambda$-terms $t_1$ and $t_2$ are of type $\tau$ and that they are extensionally equivalent.

Now we can define the interpretation $[\![t]\!]_{\mathcal{M}}$ of a first-order term $t$ such that $\Gamma \vdash_{ok} t : \tau$ in a $\Gamma$-model $\mathcal{M}$ to be the pure $\lambda$-term obtained by replacing all occurrences of free variables by their interpretation in $\mathcal{M}$ and by erasing type information. We can then prove substitution lemmas.

Lemma 6. For any $\Gamma$-model $\mathcal{M}$,

1. If $\Gamma, \alpha{:}Type \vdash_{ok} \tau : Type$ and $\Gamma \vdash_{ok} \sigma : Type$, then $\sim^{\mathcal{M}}_{\tau[\sigma/\alpha]} = \sim^{\mathcal{M}[\alpha \mapsto \sim^{\mathcal{M}}_\sigma]}_\tau$,

2. If $\Gamma, \alpha{:}Type \vdash_{ok} t : \sigma$ and $\Gamma \vdash_{ok} \tau : Type$, then $[\![t[\tau/\alpha]]\!]_{\mathcal{M}} = [\![t]\!]_{\mathcal{M}[\alpha \mapsto \sim^{\mathcal{M}}_\tau]}$,

3. If $\Gamma, x{:}\sigma \vdash_{ok} t : \tau$ and $\Gamma \vdash_{ok} s : \sigma$, then $[\![t[s/x]]\!]_{\mathcal{M}} = [\![t]\!]_{\mathcal{M}[x \mapsto [\![s]\!]_{\mathcal{M}}]}$,

4. If $\Gamma \vdash_{ok} t : \tau$, $t =_\beta t'$ and $\Gamma \vdash_{ok} t' : \tau$, then $[\![t]\!]_{\mathcal{M}} = [\![t']\!]_{\mathcal{M}}$.

And then we can deduce an adequacy lemma about well-typed terms.

Lemma 7. If we have $\Gamma \vdash_{ok} t : \tau$ and $\mathcal{M}$ a $\Gamma$-model, then $[\![t]\!]_{\mathcal{M}} \in [\tau]_{\mathcal{M}}$.

Now we can define the notion of satisfiability in a model, recursively on the structure of formulas.

Definition 8. Let $P$ be a formula such that $\Gamma \vdash_{ok} P : Prop$ and $\mathcal{M}$ be a $\Gamma$-model.

• $\mathcal{M} \models X\,t_1 \dots t_n$ iff $([\![t_1]\!]_{\mathcal{M}}, \dots, [\![t_n]\!]_{\mathcal{M}}) \in \mathcal{M}_2(X)$,

• $\mathcal{M} \models P \multimap Q$ iff $\mathcal{M} \models P$ implies $\mathcal{M} \models Q$,

• $\mathcal{M} \models \forall X{:}[\tau_1, \dots, \tau_n], P$ iff for all $E \subseteq [\tau_1]_{\mathcal{M}} \times \dots \times [\tau_n]_{\mathcal{M}}$ satisfying the stability condition, $\mathcal{M}[X \mapsto E] \models P$,

• $\mathcal{M} \models \forall x{:}\tau, P$ iff for all $t \in [\tau]_{\mathcal{M}}$, $\mathcal{M}[x \mapsto t] \models P$,

• $\mathcal{M} \models \forall\alpha, P$ iff for all PERs $R$ on $\Lambda$, $\mathcal{M}[\alpha \mapsto R] \models P$,

• $\mathcal{M} \models\ !P$ iff $\mathcal{M} \models P$ (the exponential is forgotten by the model, as announced above).

If $E$ is a set of formulas well-formed in $\Gamma$, for every $\Gamma$-model $\mathcal{M}$ we write $\mathcal{M} \models E$ to mean that $\mathcal{M} \models Q$ for all $Q \in E$. And if $T$ is another set of formulas well-formed in $\Gamma$, we write $T \models_\Gamma E$ if for every $\Gamma$-model $\mathcal{M}$, $\mathcal{M} \models T$ implies $\mathcal{M} \models E$ (and we write $T \models_\Gamma P$ in place of $T \models_\Gamma \{P\}$).

Lemma 9. The formulas are unable to distinguish extensionally equivalent programs: for any formula $P$ such that $\Gamma, x_1{:}\tau_1, \dots, x_n{:}\tau_n \vdash_{ok} P : Prop$ and any $\Gamma$-model $\mathcal{M}$, the set

$$\{(t_1, \dots, t_n) \in [\tau_1]_{\mathcal{M}} \times \dots \times [\tau_n]_{\mathcal{M}} \mid \mathcal{M}[x_1 \mapsto t_1, \dots, x_n \mapsto t_n] \models P\}$$

satisfies the stability condition.

Lemma 10. For any $\Gamma$-model $\mathcal{M}$,

1. If $\Gamma, \alpha{:}Type \vdash_{ok} P : Prop$ and $\Gamma \vdash_{ok} \tau : Type$, then $\mathcal{M} \models P[\tau/\alpha] \iff \mathcal{M}[\alpha \mapsto \sim^{\mathcal{M}}_\tau] \models P$,

2. If $\Gamma, x{:}\tau \vdash_{ok} P : Prop$ and $\Gamma \vdash_{ok} t : \tau$, then $\mathcal{M} \models P[t/x] \iff \mathcal{M}[x \mapsto [\![t]\!]_{\mathcal{M}}] \models P$,

3. If $\Gamma, X{:}[\tau_1, \dots, \tau_n] \vdash_{ok} P : Prop$ and $\Gamma, x_1{:}\tau_1, \dots, x_n{:}\tau_n \vdash_{ok} Q : Prop$, then

$$\mathcal{M} \models P[Q/X x_1 \dots x_n] \iff \mathcal{M}[X \mapsto E] \models P$$

where

$$E = \{(t_1, \dots, t_n) \in [\tau_1]_{\mathcal{M}} \times \dots \times [\tau_n]_{\mathcal{M}} \mid \mathcal{M}[x_1 \mapsto t_1, \dots, x_n \mapsto t_n] \models Q\},$$

4. If $\Gamma \vdash_{ok} P : Prop$, $P =_\beta P'$ and $\Gamma \vdash_{ok} P' : Prop$, then $\mathcal{M} \models P \iff \mathcal{M} \models P'$.

Lemma 11. If $\Gamma \vdash_{ok} t_1 : \tau$, $\Gamma \vdash_{ok} t_2 : \tau$ and $\mathcal{M}$ is a $\Gamma$-model, then $\mathcal{M} \models t_1 =_\tau t_2 \iff [\![t_1]\!]_{\mathcal{M}} \sim^{\mathcal{M}}_\tau [\![t_2]\!]_{\mathcal{M}}$.

Proof.

• $\mathcal{M} \models t_1 =_\tau t_2 \Rightarrow [\![t_1]\!]_{\mathcal{M}} \sim^{\mathcal{M}}_\tau [\![t_2]\!]_{\mathcal{M}}$: Let $E = \{t \in [\tau]_{\mathcal{M}} \mid [\![t_1]\!]_{\mathcal{M}} \sim^{\mathcal{M}}_\tau t\}$ be the equivalence class of $[\![t_1]\!]_{\mathcal{M}}$ (as such, $E$ satisfies the stability condition). If $\mathcal{M} \models t_1 =_\tau t_2$, then $\mathcal{M}[X \mapsto E] \models X t_1 \multimap X t_2$, which means that $[\![t_1]\!]_{\mathcal{M}} \in E$ (which is true) implies $[\![t_2]\!]_{\mathcal{M}} \in E$, which means that $[\![t_1]\!]_{\mathcal{M}} \sim^{\mathcal{M}}_\tau [\![t_2]\!]_{\mathcal{M}}$.

• $[\![t_1]\!]_{\mathcal{M}} \sim^{\mathcal{M}}_\tau [\![t_2]\!]_{\mathcal{M}} \Rightarrow \mathcal{M} \models t_1 =_\tau t_2$: Suppose $[\![t_1]\!]_{\mathcal{M}} \sim^{\mathcal{M}}_\tau [\![t_2]\!]_{\mathcal{M}}$. Then for all $E \subseteq [\tau]_{\mathcal{M}}$ satisfying the stability condition, $[\![t_1]\!]_{\mathcal{M}} \in E$ implies $[\![t_2]\!]_{\mathcal{M}} \in E$, or in other words $\mathcal{M}[X \mapsto E] \models X t_1 \multimap X t_2$. Therefore, we obtain $\mathcal{M} \models t_1 =_\tau t_2$.

$\square$

Definition 12. Suppose we have $\Gamma \vdash_{ok} P_1 : Prop$, $\Gamma \vdash_{ok} t_1 : \tau$ and $\Gamma \vdash_{ok} t_2 : \tau$; we say that $P_1 \sim P_2$ (relatively to $t_1$ and $t_2$) if there exists a formula $Q$ such that $\Gamma, x{:}\tau \vdash_{ok} Q : Prop$, $P_1 = Q[t_1/x]$ and $P_2 = Q[t_2/x]$.

Lemma 13. If $\mathcal{M} \models t_1 =_\tau t_2$ and $P_1 \sim P_2$, then $\mathcal{M} \models P_1 \Rightarrow \mathcal{M} \models P_2$.

Proof. Suppose $P_1 = Q[t_1/x]$ and $P_2 = Q[t_2/x]$. Let $E$ be the set $\{t \in [\tau]_{\mathcal{M}} \mid \mathcal{M}[x \mapsto t] \models Q\}$. Since $\mathcal{M} \models t_1 =_\tau t_2$, we have $\mathcal{M}[X \mapsto E] \models X t_1 \multimap X t_2$, which is equivalent to: $\mathcal{M}[x \mapsto [\![t_1]\!]_{\mathcal{M}}] \models Q$ implies $\mathcal{M}[x \mapsto [\![t_2]\!]_{\mathcal{M}}] \models Q$, i.e. $\mathcal{M} \models P_1$ implies $\mathcal{M} \models P_2$, i.e. $\mathcal{M} \models P_1 \multimap P_2$. $\square$
Theorem 14. These models satisfy the extensionality principle:

$$\mathcal{M} \models \forall\alpha\beta,\ \forall f g{:}\alpha \to \beta,\ (\forall x{:}\alpha,\ f x =_\beta g x) \multimap f =_{\alpha\to\beta} g.$$

Proof. It is a consequence of the last two lemmas.

• The last one gives us that

$$\mathcal{M} \models \forall\alpha\beta,\ \forall f g{:}\alpha \to \beta,\ (\forall x{:}\alpha,\ f x =_\beta g x) \multimap (\forall x y{:}\alpha,\ x =_\alpha y \multimap f x =_\beta g y).$$

• Therefore we are left to prove that $\mathcal{M} \models \forall\alpha\beta,\ \forall f g{:}\alpha \to \beta,\ (\forall x y{:}\alpha,\ x =_\alpha y \multimap f x =_\beta g y) \multimap f =_{\alpha\to\beta} g$. Let $R_\alpha$ and $R_\beta$ be two PERs, and let $t_1, t_2 \in [\alpha \to \beta]_{\mathcal{M}[\alpha \mapsto R_\alpha, \beta \mapsto R_\beta]}$. Suppose $\mathcal{M}[\alpha \mapsto R_\alpha, \beta \mapsto R_\beta, f \mapsto t_1, g \mapsto t_2] \models \forall x y{:}\alpha,\ x =_\alpha y \multimap f x =_\beta g y$; we need to prove that $\mathcal{M}[\alpha \mapsto R_\alpha, \beta \mapsto R_\beta, f \mapsto t_1, g \mapsto t_2] \models f =_{\alpha\to\beta} g$, or equivalently (by Lemma 11) that $t_1 \sim_{\alpha\to\beta} t_2$, which is also equivalent, by definition of $\sim_{\alpha\to\beta}$, to the fact that for all $(a_1, a_2) \in R_\alpha$, $((t_1\,a_1), (t_2\,a_2)) \in R_\beta$, which is exactly (by Lemma 11 again) $\mathcal{M}[\alpha \mapsto R_\alpha, \beta \mapsto R_\beta, f \mapsto t_1, g \mapsto t_2] \models \forall x y{:}\alpha,\ x =_\alpha y \multimap f x =_\beta g y$.

$\square$

Projecting formulas toward types

In order to write the rules of our proof system in the next section, we need a way to project second-order formulas toward types.

Definition 15. Given a formula $F$, we define the type $F^-$ recursively built from $F$ in the following way:

$$(X\,t_1 \dots t_n)^- = \alpha_X \qquad (A \multimap B)^- = A^- \to B^- \qquad (\forall\alpha, F)^- = F^- \qquad (\forall x{:}\sigma, F)^- = F^- \qquad (!F)^- = F^-$$

$$(\forall X{:}[\tau_1, \dots, \tau_n], F)^- = \forall\alpha_X, F^-.$$

Lemma 16. If $\Gamma \vdash_{ok} A : Prop$, then $\Gamma^* \vdash_{ok} A^- : Type$, where $\Gamma^*$ is obtained from $\Gamma$ by replacing occurrences of "$X : [\tau_1, \dots, \tau_n]$" by "$\alpha_X : Type$" and leaving the others unchanged.

Example 17.

• $(t_1 =_\tau t_2)^- = \forall\alpha,\ \alpha \to \alpha = unit$.

• $(N x)^- = (\forall X{:}[nat],\ !(\forall y,\ X y \multimap X(s\,y)) \multimap\ !(X 0 \multimap X x))^- = \forall\alpha,\ (\alpha \to \alpha) \to \alpha \to \alpha = nat$.

2 The proof system

Sequents are of the form $\Gamma; \Delta \vdash t : P$ where $\Gamma$ is a context (see Definition 3), $\Delta$ is an unordered set of assignments of the form $x : Q$, $t$ is a first-order term, $x$ a first-order variable and $P$ and $Q$ are formulas. Our proof system has two parameters:

• A well-formed typing context $\Sigma$ of types of the functions we want to implement. In this paper, we use the set

$$\Sigma = \{\ 0 : nat,\ s : nat \to nat,\ pred : nat \to nat,\ mult : nat \to nat \to nat,\ minus : nat \to nat \to nat,\ plus : nat \to nat \to nat,\ sum : (nat \to nat) \to nat \to nat,\ prod : (nat \to nat) \to nat \to nat\ \}.$$

• A set $\mathcal{E}$ of equational formulas of the form $\forall x_1{:}\tau_1, \dots, \forall x_n{:}\tau_n,\ t_1 =_\tau t_2$ well-typed in $\Sigma$. In this paper, we take $\mathcal{E}$ to be the set of all formulas of this form that hold in every $\Sigma$-model of the set $\mathcal{E}_0$ below, i.e. those $P$ such that $\mathcal{E}_0 \models_\Sigma P$, where $\mathcal{E}_0$ is the set below.










$$\mathcal{E}_0 = \{$$

$\quad 0 =_{nat} \Lambda\alpha.\,\lambda f{:}\alpha \to \alpha.\,\lambda x{:}\alpha.\,x,$

$\quad \forall n{:}nat,\ s\,n =_{nat} \Lambda\alpha.\,\lambda f{:}\alpha \to \alpha.\,\lambda x{:}\alpha.\,n\,\alpha\,f\,(f\,x),$

$\quad \forall x y{:}nat,\ plus\,x\,(s\,y) =_{nat} s\,(plus\,x\,y),$

$\quad \forall x{:}nat,\ plus\,x\,0 =_{nat} x,$

$\quad \forall x y{:}nat,\ mult\,x\,(s\,y) =_{nat} plus\,x\,(mult\,x\,y),$

$\quad \forall x{:}nat,\ mult\,x\,0 =_{nat} 0,$

$\quad \forall x{:}nat,\ pred\,(s\,x) =_{nat} x,$

$\quad pred\,0 =_{nat} 0,$

$\quad \forall x y{:}nat,\ minus\,x\,(s\,y) =_{nat} pred\,(minus\,x\,y),$

$\quad \forall x{:}nat,\ minus\,x\,0 =_{nat} x,$

$\quad \forall x{:}nat, \forall f{:}nat \to nat,\ sum\,f\,(s\,x) =_{nat} plus\,(sum\,f\,x)\,(f\,x),$

$\quad \forall f{:}nat \to nat,\ sum\,f\,0 =_{nat} 0,$

$\quad \forall x{:}nat, \forall f{:}nat \to nat,\ prod\,f\,(s\,x) =_{nat} mult\,(prod\,f\,x)\,(f\,x),$

$\quad \forall f{:}nat \to nat,\ prod\,f\,0 =_{nat} s\,0$

$$\}.$$



The proof system, parametrized by $\Sigma$ and $\mathcal{E}$ (rules are written premises over conclusion):

$$\text{Axiom}\quad \frac{\Sigma, \Gamma \vdash_{ok} P : Prop}{\Gamma;\ x{:}P \vdash x : P} \qquad\qquad \text{Weakening}\quad \frac{\Gamma; \Delta \vdash t : Q \quad \Sigma, \Gamma \vdash_{ok} P : Prop \quad x \notin \Delta}{\Gamma; \Delta, x{:}P \vdash t : Q}$$

$$\text{Application}\quad \frac{\Gamma; \Delta_1 \vdash t_1 : P \multimap Q \quad \Gamma; \Delta_2 \vdash t_2 : P}{\Gamma; \Delta_1, \Delta_2 \vdash (t_1\,t_2) : Q} \qquad\qquad \text{Abstraction}\quad \frac{\Gamma; \Delta, x{:}P \vdash t : Q}{\Gamma; \Delta \vdash (\lambda x{:}P^-.\,t) : P \multimap Q}$$

$$\text{Promotion}\quad \frac{\Gamma; \Delta_1 \vdash t_1 : !P_1 \ \cdots\ \Gamma; \Delta_n \vdash t_n : !P_n \quad \Gamma;\ x_1{:}P_1, \dots, x_n{:}P_n \vdash t : P}{\Gamma; \Delta_1, \dots, \Delta_n \vdash t[t_1/x_1, \dots, t_n/x_n] : !P}$$

$$\text{Contraction}\quad \frac{\Gamma; \Delta, x{:}!P, x{:}!P \vdash t : Q}{\Gamma; \Delta, x{:}!P \vdash t : Q} \qquad\qquad \forall_\alpha\text{-Intro}\quad \frac{\Gamma, \alpha{:}Type; \Delta \vdash t : P}{\Gamma; \Delta \vdash t : \forall\alpha, P}$$

$$\forall_1\text{-Intro}\quad \frac{\Gamma, x{:}\tau; \Delta \vdash t : P}{\Gamma; \Delta \vdash t : \forall x{:}\tau, P} \qquad\qquad \forall_2\text{-Intro}\quad \frac{\Gamma, X{:}[\tau_1, \dots, \tau_n]; \Delta \vdash t : P}{\Gamma; \Delta \vdash (\Lambda\alpha_X.\,t) : \forall X{:}[\tau_1, \dots, \tau_n], P}$$

$$\forall_\alpha\text{-Elim}\quad \frac{\Gamma; \Delta \vdash t : \forall\alpha, P \quad \Sigma, \Gamma \vdash_{ok} \tau : Type}{\Gamma; \Delta \vdash t : P[\tau/\alpha]} \qquad\qquad \forall_1\text{-Elim}\quad \frac{\Gamma; \Delta \vdash t : \forall x{:}\tau, P \quad \Sigma, \Gamma \vdash_{ok} a : \tau}{\Gamma; \Delta \vdash t : P[a/x]}$$

$$\forall_2\text{-Elim}\quad \frac{\Gamma; \Delta \vdash t : \forall X{:}[\tau_1, \dots, \tau_n], P \quad \Sigma, \Gamma, x_1{:}\tau_1, \dots, x_n{:}\tau_n \vdash_{ok} Q : Prop}{\Gamma; \Delta \vdash (t\,Q^-) : P[Q/X x_1 \dots x_n]}$$

$$\text{Equality}\quad \frac{\Gamma; \Delta \vdash t : P_1 \quad \mathcal{E} \models_{\Sigma, \Gamma} t_1 =_\tau t_2 \quad P_1 \sim P_2}{\Gamma; \Delta \vdash t : P_2}$$



The following lemma gives us the type of proof-terms.

Lemma 18. If $\Gamma;\ x_1{:}P_1, \dots, x_n{:}P_n \vdash t : P$, then $\Gamma^*, x_1{:}P_1^-, \dots, x_n{:}P_n^- \vdash_{ok} t : P^-$.

And this one tells us that our proof system is well-behaved with respect to our notion of model.

Lemma 19 (Adequacy lemma). If $\Gamma;\ x_1{:}P_1, \dots, x_n{:}P_n \vdash t : P$, then $\mathcal{E} \cup \{P_1, \dots, P_n\} \models_{\Sigma, \Gamma} P$.

Proof. The proof consists of an induction on the structure of the proof of $\Gamma;\ x_1{:}P_1, \dots, x_n{:}P_n \vdash t : P$ and an intensive use of the substitution lemmas. $\square$

A simple realizability theory

Definition 20. Given a formula $F$ and a term $t$, we recursively define the formula written $t \Vdash F$ on the structure of $F$ in the following way:

• $t \Vdash X\,t_1 \dots t_n = X\,t_1 \dots t_n\,t$,

• $t \Vdash P \multimap Q = \forall x{:}P^-,\ x \Vdash P \multimap (t\,x) \Vdash Q$,

• $t \Vdash \forall X{:}[\tau_1, \dots, \tau_n], P = \forall\alpha_X, \forall X{:}[\tau_1, \dots, \tau_n, \alpha_X],\ (t\,\alpha_X) \Vdash P$,

• $t \Vdash \forall x{:}\tau, P = \forall x{:}\tau,\ t \Vdash P$,

• $t \Vdash \forall\alpha, P = \forall\alpha,\ t \Vdash P$,

• $t \Vdash\ !P = !(t \Vdash P)$.

Lemma 21. For any formula $P$, any context $\Gamma$ and any first-order term $t$,

$$\frac{\Gamma \vdash_{ok} P : Prop \quad \Gamma^* \vdash_{ok} t : P^-}{\Gamma^\dagger \vdash_{ok} (t \Vdash P) : Prop}$$

where $\Gamma^\dagger$ is obtained from $\Gamma$ by replacing each occurrence of "$X : [\tau_1, \dots, \tau_n]$" by "$\alpha_X : Type, X : [\tau_1, \dots, \tau_n, \alpha_X]$" (and $\Gamma^*$ is as in Lemma 16).

Lemma 22 (Adequacy lemma for realizers). If $\Gamma;\ x_1{:}P_1, \dots, x_n{:}P_n \vdash t : P$, then

$$\Gamma^\dagger, x_1{:}P_1^-, \dots, x_n{:}P_n^-;\ x_1 : (x_1 \Vdash P_1), \dots, x_n : (x_n \Vdash P_n) \vdash t : (t \Vdash P).$$

Proof. It is a consequence of the good "applicative behaviour" of realizability. The result comes easily by induction on the structure of the proof of $\Gamma;\ x_1{:}P_1, \dots, x_n{:}P_n \vdash t : P$. $\square$

Programming with proofs

Definition 23. Let $D$ be a formula such that $\Gamma, x{:}\tau \vdash_{ok} D\,x : Prop$ for some $\tau$. We say that $D$ is a data type of parameter $x$ of type $D^-$ relatively to a $\Gamma$-model $\mathcal{M}$ if we have:

1. $\mathcal{M} \models \forall r x{:}D^-,\ (r \Vdash D) \multimap r =_{D^-} x$,

2. $\mathcal{M} \models \forall x{:}D^-,\ x \Vdash D$ (or equivalently the converse $\forall r x{:}D^-,\ r =_{D^-} x \multimap (r \Vdash D)$ of 1).

We simply say that $D\,y$ is a data type in $\mathcal{M}$ if $D$ is a data type of parameter $y$ relatively to $\mathcal{M}$, and for any term $t$ such that $\Gamma \vdash_{ok} t : D^-$, we write $D\,t$ instead of $D[t/y]$.

Lemma 24. $N x$ is a data type in all $\Gamma$-models.

Proof. The proof is similar to the one for PA2 in [4]. $\square$
Lemma 25. If $A\,x$ and $B\,y$ are two data types in a $\Gamma$-model $\mathcal{M}$, so is $F\,f = \forall x{:}A^-,\ A\,x \multimap B\,(f\,x)$.

Proof. We have to verify the two conditions of the definition.

1. Let $\mathcal{M}'$ be a $\Gamma, r{:}A^- \to B^-, f{:}A^- \to B^-$-model such that $\mathcal{M}' \models r \Vdash F\,f$. Since $r \Vdash F\,f = \forall s x,\ s \Vdash A\,x \multimap (r\,s) \Vdash B\,(f\,x)$, by invoking the second condition for $A$ and the first for $B$ we have $\mathcal{M}' \models \forall s x,\ s =_{A^-} x \multimap (r\,s) =_{B^-} (f\,x)$, which is equivalent by extensionality to $\mathcal{M}' \models r =_{A^- \to B^-} f$.

2. Let $\mathcal{M}'$ be a $\Gamma, f{:}A^- \to B^-$-model; we have to prove that $\mathcal{M}' \models f \Vdash F\,f$, or equivalently that $\mathcal{M}' \models \forall r x{:}A^-,\ r \Vdash A\,x \multimap (f\,r) \Vdash B\,(f\,x)$. But according to the first condition for $A$, this is weaker than $\mathcal{M}' \models \forall r x{:}A^-,\ r =_{A^-} x \multimap (f\,r) \Vdash B\,(f\,x)$, which is implied by the second condition for $B$.

$\square$

The following theorem states that if we can find a model $\mathcal{M}$ satisfying $\mathcal{E}$ (informally, it means that we know our specifications to be implementable), then the program $t$ extracted from the proof of a formula stating that a function $f$ is provably total implements this function.

Theorem 26. Let $D_1 x_1, \dots, D_n x_n$ and $D$ be $n+1$ data types. If $\Gamma \vdash_{ok} f : D_1^- \to \dots \to D_n^- \to D^-$ and

$$\Gamma; \vdash t : \forall x_1{:}D_1^-, \dots, x_n{:}D_n^-,\ D_1 x_1 \multimap \dots \multimap D_n x_n \multimap D\,(f\,x_1 \dots x_n),$$

then for all $\Sigma, \Gamma, f{:}D_1^- \to \dots \to D_n^- \to D^-$-models $\mathcal{M}$ such that $\mathcal{M} \models \mathcal{E}$,

$$\mathcal{M} \models t =_{D_1^- \to \dots \to D_n^- \to D^-} f.$$

Proof. By Lemma 22 we have $\Gamma^\dagger; \vdash t : t \Vdash (D_1 x_1 \multimap \dots \multimap D_n x_n \multimap D\,(f\,x_1 \dots x_n))$, which is equivalent to

$$\Gamma^\dagger; \vdash t : \forall r_1 x_1{:}D_1^-, \dots, \forall r_n x_n{:}D_n^-,\ r_1 \Vdash D_1 x_1 \multimap \dots \multimap r_n \Vdash D_n x_n \multimap (t\,r_1 \dots r_n) \Vdash D\,(f\,x_1 \dots x_n).$$

By Lemma 19 we have

$$\mathcal{M} \models \forall r_1 x_1{:}D_1^-, \dots, \forall r_n x_n{:}D_n^-,\ r_1 \Vdash D_1 x_1 \multimap \dots \multimap r_n \Vdash D_n x_n \multimap (t\,r_1 \dots r_n) \Vdash D\,(f\,x_1 \dots x_n),$$

but since every $D_i$ and $D$ is a data type we obtain

$$\mathcal{M} \models \forall r_1 x_1{:}D_1^-, \dots, \forall r_n x_n{:}D_n^-,\ r_1 =_{D_1^-} x_1 \multimap \dots \multimap r_n =_{D_n^-} x_n \multimap (t\,r_1 \dots r_n) =_{D^-} (f\,x_1 \dots x_n),$$

which is equivalent to $\mathcal{M} \models t =_{D_1^- \to \dots \to D_n^- \to D^-} f$. $\square$

3 Elementary Time Characterisation

Correctness



We describe here how we can bring our system back toward Elementary Affine Logic in order to prove that extracted programs are elementarily bounded. In this section, we consider the grammar of second-order elementary types, which is basically a linear version of System F types:

$$\tau, \sigma, \dots ::= \alpha \mid \forall\alpha, \tau \mid \sigma \multimap \tau \mid\ !\tau$$

Definition 27. Given a formula $F$, we define the type $F^\circ$ recursively built from $F$ in the following way:

$$(X\,t_1 \dots t_n)^\circ = \alpha_X \qquad (A \multimap B)^\circ = A^\circ \multimap B^\circ \qquad (\forall\alpha, F)^\circ = F^\circ \qquad (\forall x{:}\sigma, F)^\circ = F^\circ \qquad (!F)^\circ = !F^\circ$$

$$(\forall X{:}[\tau_1, \dots, \tau_n], F)^\circ = \forall\alpha_X, F^\circ.$$

We map the rules of our system by removing first-order information with our map $\cdot \mapsto \cdot^\circ$; the rule of Equality and the introduction and elimination rules for first-order $\forall$ and type $\forall$ then become trivial. We also erase some type information on typed terms in order to obtain the following Church-style type system, which is known as elementary affine logic.



Elementary Affine Logic (rules are written premises over conclusion):

$$\text{Axiom}\quad \frac{}{x{:}\tau \vdash_{eal} x : \tau} \qquad \text{Weakening}\quad \frac{\Delta \vdash_{eal} t : \sigma}{\Delta, x{:}\tau \vdash_{eal} t : \sigma} \qquad \text{Contraction}\quad \frac{\Delta, x{:}!\sigma, x{:}!\sigma \vdash_{eal} t : \tau}{\Delta, x{:}!\sigma \vdash_{eal} t : \tau}$$

$$\text{Promotion}\quad \frac{\Delta_1 \vdash_{eal} t_1 : !\tau_1 \ \cdots\ \Delta_n \vdash_{eal} t_n : !\tau_n \quad x_1{:}\tau_1, \dots, x_n{:}\tau_n \vdash_{eal} t : \tau}{\Delta_1, \dots, \Delta_n \vdash_{eal} t[t_1/x_1, \dots, t_n/x_n] : !\tau}$$

$$\text{Application}\quad \frac{\Delta_1 \vdash_{eal} s : \tau \multimap \sigma \quad \Delta_2 \vdash_{eal} t : \tau}{\Delta_1, \Delta_2 \vdash_{eal} (s\,t) : \sigma} \qquad \text{Abstraction}\quad \frac{\Delta, x{:}\sigma \vdash_{eal} t : \tau}{\Delta \vdash_{eal} (\lambda x{:}\sigma.\,t) : \sigma \multimap \tau}$$

$$\forall\text{-Intro}\quad \frac{\Delta \vdash_{eal} t : \tau \quad \alpha\ \text{not free in}\ \Delta}{\Delta \vdash_{eal} t : \forall\alpha, \tau} \qquad \forall\text{-Elim}\quad \frac{\Delta \vdash_{eal} t : \forall\alpha, \tau}{\Delta \vdash_{eal} t : \tau[\sigma/\alpha]}$$

We use this translation from our type system to elementary affine logic to obtain the following lemma.

Lemma 28. If $\Gamma; \Delta \vdash t : P$, then $\Delta^\circ \vdash_{eal} \bar{t} : P^\circ$, where $\bar{t}$ is the pure term obtained by removing type information from $t$ and $\Delta^\circ$ is obtained by sending $x : P$ to $x : P^\circ$.

The data type $N x$ representing integers is sent to $(N x)^\circ = \forall\alpha,\ !(\alpha \multimap \alpha) \multimap\ !(\alpha \multimap \alpha)$ (denoted $N^\circ$).

Definition 29. We say that a program $t \in \Lambda$ represents a (set-theoretical) total function $f$ if for all integers $m_1, \dots, m_n$, the term $(t\,\lceil m_1 \rceil \dots \lceil m_n \rceil)$ may be normalized to the Church numeral $\lceil f(m_1, \dots, m_n) \rceil$ (where $\lceil m \rceil$ is the $m$-th Church integer). We say that $t \in \mathcal{E}\mathit{lem}$ if it represents a total function $f$ belonging to the set of elementary computable functions.

The following lemma is a bit of a folklore result. The closest reference would be the appendix of [3].

Lemma 30. If $\vdash_{eal} t : !^{k_1} N^\circ \multimap \dots \multimap !^{k_n} N^\circ \multimap !^k N^\circ$, then $t \in \mathcal{E}\mathit{lem}$.

Proof (very rough sketch). One can bring the normalization of $(t\,\lceil m_1 \rceil \dots \lceil m_n \rceil)$ back to the normalization of a proof net corresponding to the proof tree of $\vdash_{eal} (t\,\lceil m_1 \rceil \dots \lceil m_n \rceil) : !^k N^\circ$. Promotion rules are represented as boxes in the proof net. These boxes stratify the proof net, in the sense that we can define the depth of a node to be the number of boxes containing this node, and the depth of the net to be the maximal depth of its nodes. If $N$ is the size of the proof net, then there is a clever strategy to eliminate all cuts at a given depth (without changing the depth) while multiplying the size of the net by at most $2^N$. We therefore obtain the exponential tower by iterating this process for each depth. $\square$

Finally, by combining the last two lemmas, we prove the desired correctness theorem.

Theorem 31. If we have

$$\Gamma, f{:}nat \to \dots \to nat; \vdash t : \forall x_1{:}nat \dots \forall x_n{:}nat,\ !^{k_1} N x_1 \multimap \dots \multimap !^{k_n} N x_n \multimap !^k N\,(f\,x_1 \dots x_n),$$

then $\bar{t} \in \mathcal{E}\mathit{lem}$, where $\bar{t}$ is the untyped $\lambda$-term obtained by erasing type information from $t$.
Elementary second-order functional arithmetic



Completeness

In this section, we give two proofs of the fact that all elementary recursive functions may be extracted from a proof of totality.

In order to ease the reading on paper, we omit term annotations (the "$x :$" in $\Delta$ and the "$t :$" on the right-hand side of the symbol $\vdash$) since, given a proof tree, these decorations are unique up to renaming of variables. We also allow ourselves to leave the typing context $\Gamma$ and the proofs of the typing sequents $\vdash_{ok}$ implicit. These three derivable rules will be very useful in the following.

Lemma 32. These rules are derivable:

$$\frac{A \vdash A}{!A \vdash\ !A} \qquad\qquad \frac{\Delta, A, B \vdash C}{\Delta, A \otimes B \vdash C} \qquad\qquad \frac{\Delta_1 \vdash A \quad \Delta_2 \vdash B}{\Delta_1, \Delta_2 \vdash A \otimes B}$$
First proof of completeness: using the completeness of EAL

The following theorem gives us a link between typable terms in EAL and provably total functions in our system. If we admit the completeness of EAL, it gives us directly that all elementary recursive functions may be extracted from a proof of totality.

Theorem 33. Let $t$ be such that $\vdash_{eal} t : N^\circ \multimap \dots \multimap N^\circ \multimap !^k N^\circ$; then

$$\vdash \forall x_1 \dots x_n,\ N x_1 \multimap \dots \multimap N x_n \multimap !^{k+1} N\,(t\,x_1 \dots x_n).$$

Proof. Let $N$ be the formula $\forall X,\ !(X \multimap X) \multimap\ !(X \multimap X)$. We have a natural embedding of EAL into our system by translating type variables to second-order variables. Therefore we have $\vdash t : N \multimap \dots \multimap N \multimap !^k N$ and then $\vdash (t \Vdash N \multimap \dots \multimap N \multimap !^k N)$ (*). We are going to need the two simple lemmas below:

1. We have $\vdash \forall r,\ (r \Vdash N) \multimap N\,(r\,nat\,s\,0)$.

The idea of the proof is that $(r \Vdash N)$ is equal to

$$\forall\alpha, \forall X{:}[\alpha], \forall f{:}\alpha \to \alpha,\ !(\forall y,\ X y \multimap X(f\,y)) \multimap\ !(\forall z,\ X z \multimap X(r\,\alpha\,f\,z))$$

and by taking $\alpha = nat$, $f = s$ and $z = 0$, we obtain $N\,(r\,nat\,s\,0)$.

2. And we have $\vdash \forall r,\ N r \multimap\ !(r \Vdash N)$.

Let $H$ be $!(\forall y,\ y \Vdash N \multimap (s\,y) \Vdash N) \multimap\ !(0 \Vdash N \multimap r \Vdash N)$. The derivation is the following (read from the conclusion upward):

(a) $\pi_1$ proves $\vdash 0 \Vdash N$; hence $0 \Vdash N \multimap r \Vdash N \vdash r \Vdash N$ (Application), $!(0 \Vdash N \multimap r \Vdash N) \vdash\ !(r \Vdash N)$ (Promotion) and $\vdash\ !(0 \Vdash N \multimap r \Vdash N) \multimap\ !(r \Vdash N)$ (Abstraction).

(b) $\pi_2$ proves $\vdash\ !(\forall y,\ y \Vdash N \multimap (s\,y) \Vdash N)$. From $N r \vdash N r$ and the instantiation of $X$ by the predicate $y \mapsto (y \Vdash N)$ we get $N r \vdash H$ ($\forall_2$-Elim); by Application with $\pi_2$, $N r \vdash\ !(0 \Vdash N \multimap r \Vdash N)$.

(c) Applying (a) to (b) gives $N r \vdash\ !(r \Vdash N)$, and finally $\vdash \forall r,\ N r \multimap\ !(r \Vdash N)$.

Here $\pi_1$ and $\pi_2$ use the rule Equality with

$$\mathcal{E} \models \forall\alpha f z,\ (0\,\alpha\,f\,z) =_\alpha z \qquad\text{and}\qquad \mathcal{E} \models \forall\alpha f z y,\ (s\,y\,\alpha\,f\,z) =_\alpha (y\,\alpha\,f\,(f\,z)).$$

Now, to prove the sequent $\vdash \forall x_1 \dots x_n,\ N x_1 \multimap \dots \multimap N x_n \multimap !^{k+1} N\,(t\,x_1 \dots x_n)$, by invoking 2 it is enough to find a proof of $\vdash \forall x_1 \dots x_n,\ !(x_1 \Vdash N) \multimap \dots \multimap !(x_n \Vdash N) \multimap !^{k+1} N\,(t\,x_1 \dots x_n)$. Using the Promotion rule, it is enough to prove $\vdash \forall x_1 \dots x_n,\ (x_1 \Vdash N) \multimap \dots \multimap (x_n \Vdash N) \multimap !^k N\,(t\,x_1 \dots x_n)$, and then, by invoking 1 under the $k$ exponentials, it is enough to prove $\vdash \forall x_1 \dots x_n,\ (x_1 \Vdash N) \multimap \dots \multimap (x_n \Vdash N) \multimap (t\,x_1 \dots x_n) \Vdash\ !^k N$, which is equivalent to (*).

$\square$

Second proof of completeness: encoding Kalmar's functions

The characterization due to Kalmar states that the elementary recursive functions form the smallest class of functions containing some base functions (constants, projections, addition, multiplication and subtraction) and closed under a composition scheme, under bounded sum and under bounded product. In the remainder of the document, we show how we can implement these functions and these schemes in our system.

• It is very easy to find a proof of $\vdash N 0$ and a proof of $\vdash \forall x,\ N x \multimap N(s\,x)$. We can obtain a proof of $\vdash N(s\,0)$ by composing them.

• The following proof gives us the addition (in order to make it fit we cut it in two pieces, and the $\vdots$ means the proof can easily be completed). We use "$x + y$" as a notation for the term $(plus\,x\,y)$, and $F$ for the hypothesis $\forall y,\ X y \multimap X(s\,y)$ of the induction principle (so that $N(x+y)$ unfolds to $!F \multimap\ !(X 0 \multimap X(x+y))$ after the second-order introduction). The main derivation, read from the conclusion upward, is:

(a) $\vdash \forall x y{:}nat,\ N x \multimap N y \multimap N(x+y)$ is obtained from $N x, N y, !F \vdash\ !(X 0 \multimap X(x+y))$ by Abstraction and the introduction rules;

(b) that sequent comes by Contraction from $N x, N y, !F, !F \vdash\ !(X 0 \multimap X(x+y))$;

(c) which is obtained by Promotion from the three premises $\pi : N x, !F \vdash\ !(X y \multimap X(x+y))$; $N y, !F \vdash\ !(X 0 \multimap X y)$ (from $N y \vdash N y$ by $\forall_2$-Elim with $X$ and Application); and $X y \multimap X(x+y),\ X 0 \multimap X y \vdash X 0 \multimap X(x+y)$ ($\vdots$).

The derivation $\pi$:

(d) $N x \vdash N x$ (Axiom), then $N x \vdash\ !(\forall z,\ X(z+y) \multimap X((s\,z)+y)) \multimap\ !(X(0+y) \multimap X(x+y))$ ($\forall_2$-Elim with the predicate $z \mapsto X(z+y)$), then $N x \vdash\ !(\forall z,\ X(z+y) \multimap X((s\,z)+y)) \multimap\ !(X y \multimap X(x+y))$ (Equality with $0+y = y$);

(e) $!F \vdash\ !(\forall z,\ X(z+y) \multimap X(s(z+y)))$ ($\vdots$, by $\forall_1$-Elim under Promotion), then $!F \vdash\ !(\forall z,\ X(z+y) \multimap X((s\,z)+y))$ (Equality with $(s\,z)+y = s(z+y)$);

(f) $N x, !F \vdash\ !(X y \multimap X(x+y))$ (Application of (d) to (e)).

Note that we have used in $\pi$ the Equality rule with $\mathcal{E} \models \forall x y,\ (s\,x) + y = s(x + y)$ and $\mathcal{E} \models \forall y,\ 0 + y = y$. We extract the usual $\lambda$-term for addition, $\lambda n m{:}nat.\,\Lambda\alpha.\,\lambda f{:}\alpha \to \alpha.\,\lambda x{:}\alpha.\ n\,\alpha\,f\,(m\,\alpha\,f\,x)$.

• By iterating the addition, it is very easy to find a proof of $\forall x y{:}nat,\ N x \multimap N y \multimap\ !N(mult\,x\,y)$. Alas, in order to build the bounded product scheme below, we will need a proof of $\forall x y{:}nat,\ N x \multimap N y \multimap N(mult\,x\,y)$. The proof has been found and checked using a proof assistant based on our system, but it is too big to fit here. The $\lambda$-term extracted from this proof is $\lambda n m{:}nat.\,\Lambda\alpha.\,\lambda f{:}\alpha \to \alpha.\ n\,(\alpha \to \alpha)\,(m\,(\alpha \to \alpha)\,(\lambda g{:}\alpha \to \alpha.\,\lambda x{:}\alpha.\,f\,(g\,x)))\,(\lambda x{:}\alpha.\,x)$.

• We can implement the predecessor function by proving $\vdash \forall x,\ N x \multimap N(pred\,x)$. The proof is not so easy: you have to instantiate a second-order quantifier with $x \mapsto (X(p(x)) \multimap X x) \otimes X(p(x))$. It corresponds to a very standard technique for implementing the predecessor of $n$ in $\lambda$-calculus: we iterate the function $(a, b) \mapsto (a+1, a)$ $n$ times on $(0, 0)$ and then we use the second projection to retrieve $n-1$.

• Then it is easy to implement the subtraction by proving $\vdash \forall x y,\ N x \multimap N y \multimap\ !N(minus\,x\,y)$ with the induction principle $N y$.
The following proof is called coercion; it will allow us to replace occurrences of $N x$ in negative position by $!N x$. Let $H$ be the formula $\forall y,\ N y \multimap N(s\,y)$. The derivation, read from the conclusion upward, is:

(a) $\vdash N 0$ (proof for zero), hence $N 0 \multimap N x \vdash N x$ (Application);

(b) $!(N 0 \multimap N x) \vdash\ !N x$ (Promotion on (a)), hence $\vdash\ !(N 0 \multimap N x) \multimap\ !N x$ (Abstraction);

(c) $N x \vdash N x$ (Axiom), and by instantiating $X$ with $N$, $N x \vdash\ !H \multimap\ !(N 0 \multimap N x)$ ($\forall_2$-Elim);

(d) $\vdash H$ (proof for successor), hence $\vdash\ !H$ (Promotion);

(e) $N x \vdash\ !(N 0 \multimap N x)$ (Application of (c) to (d));

(f) $N x \vdash\ !N x$ (Application of (b) to (e)), and finally $\vdash \forall x,\ N x \multimap\ !N x$.

Using this, we can now bring every proof of totality

$$\vdash \forall x_1, \dots, x_n,\ !^{k_1} N x_1 \multimap \dots \multimap !^{k_n} N x_n \multimap !^k N\,(f\,x_1 \dots x_n)$$

to a "normal form"

$$\vdash \forall x_1, \dots, x_n,\ N x_1 \multimap \dots \multimap N x_n \multimap !^{k'} N\,(f\,x_1 \dots x_n).$$

The composition scheme is implemented by the following derivation (where $s = \sum_{i=1}^{p} k_i$, where $A^{(p)}$ means $A$ duplicated $p$ times, and where we write $\bar{x}$ for $x_1 \dots x_q$). First, the branch $\pi$ built from the proof for $f$:

(a) $N(g_1 \bar{x}), \dots, N(g_p \bar{x}) \vdash\ !^k N(f\,(g_1 \bar{x}) \dots (g_p \bar{x}))$ (proof for $f$);

(b) $!N(g_1 \bar{x}), \dots, !N(g_p \bar{x}) \vdash\ !^{k+1} N(f\,(g_1 \bar{x}) \dots (g_p \bar{x}))$ (Promotion);

(c) $!^{k_1} N(g_1 \bar{x}), \dots, !^{k_p} N(g_p \bar{x}) \vdash\ !^{k+s} N(f\,(g_1 \bar{x}) \dots (g_p \bar{x}))$ (Promotion and coercion);

(d) $\pi : \vdash\ !^{k_1} N(g_1 \bar{x}) \multimap \dots \multimap !^{k_p} N(g_p \bar{x}) \multimap !^{k+s} N(f\,(g_1 \bar{x}) \dots (g_p \bar{x}))$ (Abstraction).

Then, with the proofs for the $g_i$:

(e) $N x_1, \dots, N x_q \vdash\ !^{k_i} N(g_i \bar{x})$ for each $i$ (proof for $g_i$);

(f) $(N x_1)^{(p)}, \dots, (N x_q)^{(p)} \vdash\ !^{k+s} N(f\,(g_1 \bar{x}) \dots (g_p \bar{x}))$ (Application of $\pi$ to the $p$ proofs of (e));

(g) $(!N x_1)^{(p)}, \dots, (!N x_q)^{(p)} \vdash\ !^{s+k+1} N(f\,(g_1 \bar{x}) \dots (g_p \bar{x}))$ (Promotion);

(h) $!N x_1, \dots, !N x_q \vdash\ !^{s+k+1} N(f\,(g_1 \bar{x}) \dots (g_p \bar{x}))$ (Contraction);

(i) $N x_1, \dots, N x_q \vdash\ !^{s+k+1} N(f\,(g_1 \bar{x}) \dots (g_p \bar{x}))$ (coercion);

(j) $\vdash \forall x_1 \dots x_q,\ N x_1 \multimap \dots \multimap N x_q \multimap !^{s+k+1} N(f\,(g_1 x_1 \dots x_q) \dots (g_p x_1 \dots x_q))$.

Finally, the bounded sum is implemented by the following proof of $\vdash\ !!(\forall y,\ N y \multimap !^k N(f\,y)) \multimap \forall n,\ N n \multimap !^{k+2} N(sum\,f\,n)$. The key idea in this proof is to use the induction principle of $N n$ with the predicate $x \mapsto\ !(N x \otimes\ !^k N(sum\,f\,x))$. Let $H$ be the formula $\forall y,\ N y \multimap !^k N(f\,y)$, $K_1$ the formula

$$\forall y,\ !(N y \otimes\ !^k N(sum\,f\,y)) \multimap\ !(N(s\,y) \otimes\ !^k N(sum\,f\,(s\,y)))$$

and $K_2$ the formula $!(N 0 \otimes\ !^k N(sum\,f\,0)) \multimap\ !(N n \otimes\ !^k N(sum\,f\,n))$.

The main derivation, read from the conclusion upward:

(a) $N n \vdash N n$ (Axiom), and by instantiating $X$ with the predicate above, $N n \vdash\ !K_1 \multimap\ !K_2$ ($\forall_2$-Elim);

(b) $N n, !!H \vdash\ !K_2$ (Application of (a) to $\pi$ below, which proves $!!H \vdash\ !K_1$);

(c) proof for zero: $\vdash N 0$ and $\vdash\ !^k N 0$, hence $\vdash N 0 \otimes\ !^k N 0$ (Lemma 32), $\vdash\ !(N 0 \otimes\ !^k N 0)$ (Promotion) and $\vdash\ !(N 0 \otimes\ !^k N(sum\,f\,0))$ (Equality with $sum\,f\,0 = 0$);

(d) $N n, !^k N(sum\,f\,n) \vdash\ !^k N(sum\,f\,n)$ (Axiom and Weakening), hence $N n \otimes\ !^k N(sum\,f\,n) \vdash\ !^k N(sum\,f\,n)$ (Lemma 32) and $!(N n \otimes\ !^k N(sum\,f\,n)) \vdash\ !^{k+1} N(sum\,f\,n)$ (Promotion);

(e) $K_2 \vdash\ !^{k+1} N(sum\,f\,n)$ (Application to (c), then (d)), hence $!K_2 \vdash\ !^{k+2} N(sum\,f\,n)$ (Promotion);

(f) $!!H, N n \vdash\ !^{k+2} N(sum\,f\,n)$ (Application of (e) to (b));

(g) $\vdash\ !!(\forall y,\ N y \multimap !^k N(f\,y)) \multimap \forall n,\ N n \multimap !^{k+2} N(sum\,f\,n)$.

The derivation $\pi$ of $!!H \vdash\ !K_1$:

(h) proof for addition: $N(sum\,f\,y), N(f\,y) \vdash N((f\,y) + (sum\,f\,y))$, hence by Promotion $!^k N(sum\,f\,y), !^k N(f\,y) \vdash\ !^k N((f\,y) + (sum\,f\,y))$ and by Abstraction $!^k N(sum\,f\,y) \vdash\ !^k N(f\,y) \multimap\ !^k N((f\,y) + (sum\,f\,y))$;

(i) $H, N y \vdash\ !^k N(f\,y)$ ($\forall_1$-Elim and Application);

(j) $H, N y, !^k N(sum\,f\,y) \vdash\ !^k N((f\,y) + (sum\,f\,y))$ (Application of (h) to (i)), hence $H, N y, !^k N(sum\,f\,y) \vdash\ !^k N(sum\,f\,(s\,y))$ (Equality) and $H, N y \otimes\ !^k N(sum\,f\,y) \vdash\ !^k N(sum\,f\,(s\,y))$ (Lemma 32);

(k) proof for successor: $N y \vdash N(s\,y)$, hence $N y, !^k N(sum\,f\,y) \vdash N(s\,y)$ (Weakening) and $N y \otimes\ !^k N(sum\,f\,y) \vdash N(s\,y)$ (Lemma 32);

(l) $H, N y \otimes\ !^k N(sum\,f\,y), N y \otimes\ !^k N(sum\,f\,y) \vdash N(s\,y) \otimes\ !^k N(sum\,f\,(s\,y))$ (Lemma 32 on (k) and (j));

(m) $!H, !(N y \otimes\ !^k N(sum\,f\,y)), !(N y \otimes\ !^k N(sum\,f\,y)) \vdash\ !(N(s\,y) \otimes\ !^k N(sum\,f\,(s\,y)))$ (Promotion);

(n) $!H, !(N y \otimes\ !^k N(sum\,f\,y)) \vdash\ !(N(s\,y) \otimes\ !^k N(sum\,f\,(s\,y)))$ (Contraction), hence $!H \vdash K_1$ (Abstraction and $\forall_1$-Intro) and $!!H \vdash\ !K_1$ (Promotion).

We obtain the bounded product by replacing the proofs for zero by proofs for one and the proof for addition by a proof for multiplication.
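As an added example, not taken from the paper, the following Python program writes down the extracted Church-numeral terms with their types erased and checks them against the specification $\mathcal{E}_0$ of Section 2, covering both the base functions and the bounded sum and product schemes of this section. The terms for $s$, $plus$, $mult$ and $pred$ follow the $\lambda$-terms and the predecessor technique given above; the pair-iteration used for $sum$ and $prod$ is this example's own rendering of the $N x \otimes\ !^k N(sum\,f\,x)$ induction (the paper does not print that extracted term, so its exact shape is an assumption here). The sample inputs below are constructed for the check.

```python
# Added example (not part of the paper): the extracted Church-numeral programs,
# types erased, checked against the specification E_0 of Section 2.
# `spec_violations` returns the equations of E_0 that fail on small numerals;
# an empty list means every equation holds on the sample.
from typing import Any, Callable, List

# A Church integer with types erased: n f x = f^n(x), i.e. [m] = Λα.λf.λx. f^m x
Num = Callable[[Callable[[Any], Any]], Callable[[Any], Any]]

def numeral(m: int) -> Num:
    """The m-th Church integer [m]."""
    def n(f):
        def iterate(x):
            for _ in range(m):
                x = f(x)
            return x
        return iterate
    return n

def to_int(n: Num) -> int:
    """Read a Church integer back by iterating the integer successor on 0."""
    return n(lambda k: k + 1)(0)

zero: Num = lambda f: lambda x: x                    # 0 = Λα.λf.λx. x
succ = lambda n: (lambda f: lambda x: n(f)(f(x)))    # s n = Λα.λf.λx. n α f (f x)
# λnm.Λα.λf.λx. n α f (m α f x): the term extracted from the addition proof
plus = lambda n, m: (lambda f: lambda x: n(f)(m(f)(x)))
# λnm.Λα.λf. n (α→α) (m (α→α) (λg.λx. f (g x))) (λx.x): the term extracted from
# the proof of ∀xy, Nx ⊸ Ny ⊸ N(mult x y); n iterates "compose f^m with g"
mult = lambda n, m: (lambda f: n(m(lambda g: lambda x: f(g(x))))(lambda x: x))

def pred(n: Num) -> Num:
    """Iterate (a, b) ↦ (a+1, a) n times from (0, 0) and take the second
    component: n-1 for n ≥ 1 and 0 for n = 0, as in the predecessor proof."""
    step = lambda p: (succ(p[0]), p[0])
    return n(step)((zero, zero))[1]

def minus(n: Num, m: Num) -> Num:
    """Induction on the second argument: minus x (s y) = pred (minus x y)."""
    return m(pred)(n)

def bounded_sum(f: Callable[[Num], Num], n: Num) -> Num:
    """sum f n = f 0 + ... + f (n-1), iterating on the pair (x, sum f x).
    Assumption of this example: this is the shape of the term the
    Nx ⊗ !^k N(sum f x) induction extracts to."""
    step = lambda p: (succ(p[0]), plus(p[1], f(p[0])))
    return n(step)((zero, zero))[1]

def bounded_prod(f: Callable[[Num], Num], n: Num) -> Num:
    """prod f n = f 0 * ... * f (n-1); the proof for one gives the start (0, s 0)."""
    step = lambda p: (succ(p[0]), mult(p[1], f(p[0])))
    return n(step)((zero, succ(zero)))[1]

def spec_violations(limit: int = 5) -> List[str]:
    """Check every equation of E_0 on all numerals below `limit`, taking
    f = λx. mult x x for the sum/prod equations; returns the failing ones."""
    sq = lambda x: mult(x, x)
    failures: List[str] = []
    def check(name: str, lhs: Num, rhs: Num) -> None:
        if to_int(lhs) != to_int(rhs):
            failures.append(name)
    check("pred 0 = 0", pred(zero), zero)
    check("sum f 0 = 0", bounded_sum(sq, zero), zero)
    check("prod f 0 = s 0", bounded_prod(sq, zero), succ(zero))
    for a in range(limit):
        x = numeral(a)
        check(f"plus x 0 = x [x={a}]", plus(x, zero), x)
        check(f"mult x 0 = 0 [x={a}]", mult(x, zero), zero)
        check(f"pred (s x) = x [x={a}]", pred(succ(x)), x)
        check(f"minus x 0 = x [x={a}]", minus(x, zero), x)
        check(f"sum f (s x) = plus (sum f x) (f x) [x={a}]",
              bounded_sum(sq, succ(x)), plus(bounded_sum(sq, x), sq(x)))
        check(f"prod f (s x) = mult (prod f x) (f x) [x={a}]",
              bounded_prod(sq, succ(x)), mult(bounded_prod(sq, x), sq(x)))
        for b in range(limit):
            y = numeral(b)
            check(f"plus x (s y) = s (plus x y) [x={a},y={b}]",
                  plus(x, succ(y)), succ(plus(x, y)))
            check(f"mult x (s y) = plus x (mult x y) [x={a},y={b}]",
                  mult(x, succ(y)), plus(x, mult(x, y)))
            check(f"minus x (s y) = pred (minus x y) [x={a},y={b}]",
                  minus(x, succ(y)), pred(minus(x, y)))
    return failures

if __name__ == "__main__":
    print(spec_violations())
```

Because the check compares numerals only through `to_int`, it tests exactly the extensional equality $=_{nat}$ that the Equality rule relies on: two closures implementing the same function are never told apart, which is the stability condition of Lemma 9 made concrete.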